What is PCI DSS and why is it so important in the payment industry?

PCI DSS stands for “Payment Card Industry Data Security Standard”. It is a widely accepted, actionable framework for building a robust payment card data security process, covering prevention, detection and appropriate response to security incidents. The first version was published in 2004 by the five major card brands, Visa, MasterCard, Discover, American Express and JCB, which later formed the PCI Security Standards Council (PCI SSC) to maintain it. The standard covers credit, debit and prepaid card data alike.

The volume of card transactions has doubled in the last ten years, and consumer payments for online and in-app purchases keep growing too. Card fraud has risen with it. Cardholders who pay with a debit or credit card risk financial loss if their card data leaks, so every party that handles that data has to make sure the sensitive transaction data is well protected.


What is the aim of PCI DSS, and to whom does it apply?

PCI DSS provides a baseline of technical and operational requirements designed to optimize the security of card transactions and protect cardholders against misuse of their personal information. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, service providers, and all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Cardholder data is the primary account number (PAN) together with the cardholder name, expiration date and service code; sensitive authentication data is the full track data from the magnetic stripe or chip, the card verification code (CAV2/CVC2/CVV2/CID) and the PIN or PIN block.


What are the requirements of PCI DSS?

PCI DSS consists of 12 requirements, grouped under six control objectives:

1. Build and Maintain a Secure Network and Systems

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

2. Protect Cardholder Data

  • Protect stored cardholder data, wherever it is stored. The PAN must be rendered unreadable at rest (truncation, one-way hashing, tokenisation or strong cryptography with proper key management), and sensitive authentication data (full track data, CVV2/CVC2/CID, PINs and PIN blocks) must never be stored after authorisation, even encrypted.
  • Encrypt transmission of cardholder data across open, public networks

3. Maintain a Vulnerability Management Program

  • Protect all systems against malware and regularly update anti-virus software or programs.
  • Develop and maintain secure systems and applications. Install security patches provided by software and operating system vendors promptly; PCI DSS v3.2 expects critical security patches to be applied within one month of release.

4. Implement Strong Access Control Measures

  • Restrict access to cardholder data by business need to know, so that only the roles that must see it to carry out a transaction or protect the data can do so.
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data

5. Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes to ensure that all security measures are functioning properly and are up to date.

6. Maintain an Information Security Policy

  • Maintain a policy that addresses information security for all personnel
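A concrete way to act on requirement 3 (render stored PAN unreadable) and requirement 10 (monitor access to cardholder data) is to scan the places where PAN tends to leak, such as application logs, and mask anything that looks like a card number. The following is an added example written for this page; it is not code from the PCI SSC document or from the original post. It assumes a simple PAN shape (13 to 19 digits with optional space or hyphen separators), uses the Luhn check to drop most non-PAN numbers, and masks to the first six and last four digits, the most that PCI DSS v3.2 requirement 3.3 permits to be displayed. The log lines and the session id are constructed; the card numbers are the public Visa and American Express test numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not glued to other digits. Assumption: this is a starting pattern
# for log scanning, not a complete brand-specific one.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit test that every card brand's PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Render a PAN unreadable for display: keep the first six and last four
    digits (the most PCI DSS v3.2 Req. 3.3 allows) and star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN candidate in text with its masked form.
    Returns (redacted_text, number_of_pans_found). Separators inside a
    matched PAN are dropped in the masked output."""
    found = 0

    def repl(m: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # long number that is not a PAN: leave it
        found += 1
        return mask_pan(digits)

    return PAN_RE.sub(repl, text), found


# Constructed sample log lines (not from a real system). The card numbers are
# the public Visa and American Express test numbers; the session id is a
# 16-digit value that fails the Luhn check and must be left untouched.
LOG_LINES = [
    "2024-03-01T10:15:02Z INFO checkout order=10021 card=4111 1111 1111 1111 amount=59.90",
    "2024-03-01T10:15:03Z DEBUG gateway request pan=378282246310005 exp=12/26",
    "2024-03-01T10:15:04Z INFO session=1234567890123456 user=alice",
]


def redact_log(lines: list[str]) -> tuple[list[str], int]:
    """Redact PANs in a list of log lines; returns (lines, total_pans_found)."""
    out, total = [], 0
    for line in lines:
        cleaned, n = redact_pans(line)
        out.append(cleaned)
        total += n
    return out, total


if __name__ == "__main__":
    cleaned, total = redact_log(LOG_LINES)
    for line in cleaned:
        print(line)
    print(f"{total} PAN(s) masked")
```

Two caveats a practitioner should keep in mind. The Luhn check removes roughly nine out of ten random digit strings, so timestamps or order ids will still occasionally pass it; treat each hit as a finding to review, not as proof of a PAN. And masking after the fact is a stop-gap: the requirement is that PAN is never written to logs in clear text in the first place, and sensitive authentication data such as the CVV2 must never be logged at all, masked or not.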


Reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1519792890776



